Re: [tor-talk] The following directory authorities recommend other client versions than the consensus: gabelmoo

On Fri, Feb 07, 2014 at 02:14:28PM +0100, tor-admin wrote:
> Sebastian, thanks for clarification. I remember there were some late changes  
> #9063, #9072, #9093, and #10169 which made it into 2.4.X because of the DOS 
> issues Rob Jansen described in https://blog.torproject.org/blog/new-tor-denial-service-attacks-and-defenses.
> Would it not be better to bring relays to a version that have defenses against 
> these new attacks? 

Nick and I met yesterday for some ticket closing and dev work, and part
of that ended up with the decision to un-recommend, mainly
because of general insecurity but also because it includes a hack for
hidden service reachability that we'd like to retire. And while we were
doing that, we decided to un-recommend a few more.

The 'recommended' versions list just controls whether a log message
appears in your logs -- so it is a pretty special user indeed who will
notice it. (In the past, the message also caused Vidalia to pop up a
little window for you. But at this point, anybody running an old Vidalia
bundle should probably upgrade.) The version was only still in
the list because Debian oldstable ships it and we didn't want to upset
the Debian world; we will continue to keep compatibility for a few more
months until Debian oldstable goes away.

As usual it's a balance between crying wolf too often and keeping most of
the network up-to-date. At this point most relays are on pretty recent
versions (or on, but those are slowly disappearing). So long
as much of the network is resistant to Rob's attacks, the few remaining
relays that aren't don't pose that much of a threat. Also, will
be coming out pretty soon, and there's another patch coming to do the
"exit stream" side of Rob's attacks. So I thought these steps would be the
right balance for now.

(And Sebastian, sorry for conspiring with tor26 to make these changes
while you were asleep. :) I'm still half expecting some Ubuntu or
something to be shipping one of the versions we un-recommended, and to
start getting a flood of user complaints. At which point we could back out
the changes until we'd made a better plan, or at least prepared better.)
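
The mechanism the message describes is a relay comparing its own version with the recommended-*-versions lines that the authorities vote on and that end up in the consensus; the subject line of this thread is the warning tor emits when one authority's vote disagrees with the consensus on those lines. The following script, added here as an example and not code from the Tor project or from anyone on this thread, parses those lines from constructed vote and consensus snippets (the version numbers and per-authority lists are illustrative, not the real votes from February 2014), classifies a running version against the consensus list, and reports which authorities recommend a different set. The three status categories and the version ordering are a simplification of tor's own version-checking logic, not a copy of it.

```python
"""Check a tor version against the consensus recommended-versions list and
find directory authorities whose vote disagrees with the consensus.

Added example, not tor project code. The documents below are constructed to
follow the dir-spec line format; their contents are illustrative only.
"""
import re

# Constructed sample consensus: only the lines relevant here are included.
CONSENSUS = """\
network-status-version 3
vote-status consensus
recommended-client-versions 0.2.3.25,0.2.4.20,0.2.4.21,0.2.5.2-alpha
recommended-server-versions 0.2.3.25,0.2.4.20,0.2.4.21,0.2.5.2-alpha
"""

# Constructed sample votes keyed by (hypothetical) authority nickname.
VOTES = {
    "moria1": """\
vote-status vote
recommended-client-versions 0.2.3.25,0.2.4.20,0.2.4.21,0.2.5.2-alpha
recommended-server-versions 0.2.3.25,0.2.4.20,0.2.4.21,0.2.5.2-alpha
""",
    "gabelmoo": """\
vote-status vote
recommended-client-versions 0.2.3.24,0.2.3.25,0.2.4.19,0.2.4.20,0.2.4.21
recommended-server-versions 0.2.3.24,0.2.3.25,0.2.4.19,0.2.4.20,0.2.4.21
""",
    "tor26": """\
vote-status vote
recommended-client-versions 0.2.3.25,0.2.4.20,0.2.4.21,0.2.5.2-alpha
recommended-server-versions 0.2.3.25,0.2.4.20,0.2.4.21,0.2.5.2-alpha
""",
}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-(\w+))?$")
# Simplified pre-release ordering: alpha < beta < rc < final release.
_TAG_RANK = {"alpha": 0, "beta": 1, "rc": 2}


def parse_version(v):
    """Turn '0.2.4.20' or '0.2.5.2-alpha' into a sortable tuple."""
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError("unparseable tor version: %r" % v)
    nums = tuple(int(x) for x in m.groups()[:4])
    tag = m.group(5)
    rank = 3 if tag is None else _TAG_RANK.get(tag, 0)
    return nums + (rank,)


def recommended_versions(doc, kind="server"):
    """Set of versions on the recommended-<kind>-versions line of a vote or
    consensus (kind is 'client' or 'server'); empty set if the line is absent."""
    key = "recommended-%s-versions " % kind
    for line in doc.splitlines():
        if line.startswith(key):
            return {v.strip() for v in line[len(key):].split(",") if v.strip()}
    return set()


def version_status(my_version, recommended):
    """Simplified form of the decision behind tor's 'not recommended' log line:
    listed, newer than anything listed, or unrecommended (old or skipped)."""
    if my_version in recommended:
        return "recommended"
    mine = parse_version(my_version)
    newest = max(parse_version(v) for v in recommended)
    return "newer-than-recommended" if mine > newest else "unrecommended"


def disagreeing_authorities(consensus, votes, kind="server"):
    """Nicknames of authorities whose vote lists a different version set than
    the consensus: the condition behind the warning in this thread's subject."""
    cons = recommended_versions(consensus, kind)
    return sorted(name for name, vote in votes.items()
                  if recommended_versions(vote, kind) != cons)


if __name__ == "__main__":
    rec = recommended_versions(CONSENSUS, "server")
    for v in ("0.2.4.20", "0.2.3.24", "0.2.5.3-alpha"):
        print("%-14s %s" % (v, version_status(v, rec)))
    print("authorities disagreeing with consensus:",
          disagreeing_authorities(CONSENSUS, VOTES, "server"))
```

Feed it a real consensus and the cached votes from a directory authority's data directory (in place of the constructed strings) and the disagreeing_authorities output is the list the warning in the subject line names; version_status is the check a relay operator would run by hand to see whether the "please upgrade" log line is expected for their version.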
